On-The-Fly Abstract Interpretation to Handle Obfuscated Polymorphic Virus with HOPE
Category: International conference
Paper No.: MS5-2
Group name: ACIS2015
Publication date: 2015/10/15
Author(s) (English): Nguyen Thien Binh (Ho Chi Minh City University of Technology), Quan Thanh Tho (Ho Chi Minh City University of Technology), Nguyen Minh Hai (Ho Chi Minh City University of Technology)
Keywords: Polymorphic virus, Binary code analysis, Abstract Interpretation, Obfuscation, Deobfuscation, Model Checking.
Abstract (English): A polymorphic virus, which is able to mutate itself into an infinite number of instances, renders existing signature-based commercial anti-virus programs insufficient to detect it. This problem has motivated various logic-based approaches, proposed within the research community, to capture malicious behaviors. Nevertheless, viruses frequently use obfuscation techniques, which makes it hard to form a one-size-fits-all logic for obfuscated viruses. Moreover, these methodologies are developed under a common assumption that there is an oracle that can build a complete Control Flow Graph (CFG) for binary code. This is not assuredly achieved in reality. Those difficulties prevent logic-based approaches from being precise. In this work, we propose a framework, known as HOPE (Handling Obfuscated Polymorphic malwarE), to tackle those problems. The novel part of our work is that we make an empirical assumption that popular obfuscations are free from dynamic jumps. This assumption allows us to isolate possible obfuscated code segments and handle them efficiently. We conducted an initial experiment with a data set of real viruses and achieved some promising results, especially as compared to a number of state-of-the-art tools in this field.
Manuscript type: English
PDF file size: 921 KB
